I am an IS group intern working at my father's company over the summer. Basically, I have a lot of downtime and an interest in pentesting and security risk scenarios. So I talked to my boss, and in my spare time I am working on, I guess, finding flaws in the system/just learning different stuff. I am a domain admin, but I was interested in trying to access domain accounts as if I were an outside person.

So far I was able to crack the local SAM passwords that are located on the workstations and was able to log in as a local administrator. However, I am having difficulties cracking the cached domain stores. I realize they are much harder due to them being salted, though they take forever to crack. I even changed my domain account password to abc123, then cached those credentials and dumped them, and it still says something like 2+ days to crack within John. I also tried pass-the-cache in Metasploit but kept hitting dead ends because that program is still over my head as of right now.

I was wondering if there were any other types of methods that I could try. I know we use OneSign, which stores your domain password and instantly logs you into different networked programs when you launch them, but I haven't been able to locate those passwords. I have a basic knowledge of Linux and wanted to get better. I am an SRA major at PSU, but we haven't gotten to the core-level classes yet.


Oh, we're using XP workstations with 2003 ADs. Also, I managed to set up a copy of our AD and an XP workstation in VMware and have been playing around primarily in there.